FOR IMMEDIATE RELEASE Friday, Oct. 29 1999
|
Contact: |
HHS Press Office (202)
690-6343
|
HHS Proposes First-Ever National Standards
To Protect Patients' Personal
Medical Records
HHS Secretary Donna E. Shalala proposed today the
first-ever set of national standards to protect the privacy of Americans'
personal health records. The standards will apply to medical records created by
health care providers, hospitals, health plans and health care clearinghouses
that are either transmitted or maintained electronically, and the paper
printouts created from these records.
"The privacy of Americans is protected in their bank transactions, their
credit card statements, and even their video rentals. Yet, until today,
Americans had no federal privacy protections for their medical records,"
Secretary Shalala said. "These proposed standards are an important step forward
in protecting the privacy of some of our most personal information."
Shalala noted that Americans are increasingly worried that the privacy of
their medical information will be violated. Some have even taken action to avoid
creating a medical record, including withholding information from their doctors,
changing doctors, or even avoiding care altogether. "We cannot allow the absence
of privacy protections to compromise the quality of care in our nation,"
Secretary Shalala said. "Our proposals will provide Americans with greater peace
of mind as they seek care, yet they are balanced with the need to protect public
health, conduct medical research and improve the quality of health care for the
nation."
The bipartisan Health Insurance Portability and Accountability Act of 1996
(HIPAA) -- also known as the Kassebaum-Kennedy law -- called on Congress to
enact comprehensive national medical record privacy standards by Aug. 21, 1999.
If Congress was unable to meet that deadline, HIPAA required the Secretary of
HHS to issue final regulations by Feb. 21, 2000. Today's proposal marks the
beginning of that regulatory process.
The proposal reflects the five principles outlined by Secretary Shalala in
September 1997 as part of her Recommendations for Protecting the Confidentiality
of Individually Identifiable Health Information:
- Consumer Control. The standards provide consumers with important
new rights including, the right to see a copy of their medical records; the
right to request a correction to their medical records; and the right to
obtain documentation of disclosures of their health information.
- Accountability. The statute includes new penalties for violations
of a patient's right to privacy. These penalties include, for violations of
the privacy standards by the persons subject to them, civil monetary penalties
of up to $25,000 per person, per year, per standard. There are also
substantial criminal penalties applicable to certain types of violations of
the statute that are done knowingly: up to $50,000 and one year in prison for
obtaining or disclosing protected health information; up to $100,000 and up to
five years in prison for obtaining protected health information under "false
pretenses"; and up to $250,000 and up to 10 years in prison for obtaining
protected health information with the intent to sell, transfer or use it for
commercial advantage, personal gain or malicious harm.
- Public Responsibility. Privacy protections must be balanced with
the public responsibility to support such national priorities as protecting
public health, conducting medical research, improving the quality of care, and
fighting health care fraud and abuse. For example, public health agencies
routinely use health records in their efforts to protect the public from
outbreaks of infectious diseases. The new standards put in place how such
information should be released.
- Boundaries. With few exceptions, an individual's health care
information should be used for health purposes only, including treatment and
payment. For example, a hospital could use personal health information to
provide care, teach, train and conduct research and ensure quality. However,
employers who also function as health care providers or health plans would be
barred from using information for non-health purposes like hiring, firing or
determining promotions. Similarly, insurers could not use such information to
underwrite other products, such as life insurance.
- Security. Organizations that are entrusted with health information
must protect it against deliberate or inadvertent misuse or disclosure. The
proposed standards would require each covered organization to establish clear
procedures to protect patients' privacy, designate an official to monitor that
system and notify their patients about their privacy protection practices. In
addition, those who get information and misuse it would be subject to the
penalties outlined in the proposal.
The proposed standards would enhance the protections afforded by many
existing state laws. In circumstances where the federal rules and state laws are
in conflict, the stronger privacy protection would prevail. The proposed privacy
standards would apply to consumers whether they are privately insured, uninsured
or participants in public programs such as Medicare or Medicaid.
While the privacy standards proposed today are a significant step toward
protecting patients' confidentiality, HHS does not currently have the authority
to protect all medical records. Under HIPAA, HHS does not have the authority to
protect records that are maintained in paper form only. HIPAA also does not
allow HHS to issue standards for records that are maintained by other insurers,
or by employers for worker's compensation purposes. The proposed rule does not
establish appropriate restrictions on the use or redisclosure of such
information by likely recipients, such as researchers, life insurance issuers,
marketing firms, or administrative, legal and accounting services.
HHS also lacks the authority to provide Americans with the right to take
action in court when their medical information is used inappropriately -- a
critical consumer protection that only Congress can provide. The Clinton
Administration has called upon Congress to close these important gaps and enact
comprehensive national legislation to ensure that all medical records are
protected.
The proposed rule will be open for comment from the public for 60 days.
###
Note: For other HHS Press Releases and Fact Sheets pertaining to the subject of
this announcement, please visit our Press Release and Fact Sheet search engine
at: http://www.os.dhhs.gov/news/press/.